---
title: SecretSync
hide_title: true
---
import TierLabel from "../../../_components/TierLabel";

# SecretSync <TierLabel tiers="Enterprise" />

It provides semantics to sync [Kuberentes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) from management cluster to leaf clusters.

```yaml
apiVersion: capi.weave.works/v1alpha1
kind: SecretSync
metadata:
  name: my-dev-secret-syncer
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      environment: dev
  secretRef:
    name: my-dev-secret
  targetNamespace: my-namespace
```

## Specification

The documentation for the api version `capi.weave.works/v1alpha1`

```go
type SecretSync struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              SecretSyncSpec   `json:"spec,omitempty"`
	Status            SecretSyncStatus `json:"status,omitempty"`
}

// SecretSyncSpec
type SecretSyncSpec struct {
	// Label selector for Clusters. The Clusters that are
	// selected by this will be the ones affected by this SecretSync.
	// It must match the Cluster labels. This field is immutable.
	// Label selector cannot be empty.
	ClusterSelector metav1.LabelSelector `json:"clusterSelector"`
	// SecretRef specifies the Secret to be bootstrapped to the matched clusters
	// Secret must be in the same namespace of the SecretSync object
	SecretRef v1.LocalObjectReference `json:"secretRef"`
	// TargetNamespace specifies the namespace which the secret should be bootstrapped in
	// The default value is the namespace of the referenced secret
	//+optional
	TargetNamespace string `json:"targetNamespace,omitempty"`
}

// SecretSyncStatus secretsync object status
type SecretSyncStatus struct {
	// SecretVersions a map contains the ResourceVersion of the secret of each cluster
	// Cluster name is the key and secret's ResourceVersion is the value
	SecretVersions map[string]string `json:"versions"`
}

```
